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IAB Europe’s views: Proposal for a regulation of the European Parliament and of the Council on 
harmonised rules on fair access to and use of data (Data Act) 


1. IAB Europe (Transparency Register: 43167137250-27) represents the broad digital advertising 
and marketing ecosystem, with 25 national associations whose 5000+ members include 
advertisers, agencies, publishers, and technology companies. We work with over 90 companies 
in our direct membership. 


2. This document contains IAB Europe’s views on the proposed Regulation on harmonised rules 
on fair access to and use of data (Data Act). 


3. We acknowledge the declared aim of the European Commission to increase access to and 
further use of data through the proposed “Data Act”, with an end effect of ensuring innovation 
and efficiency of the EU digital market and associated benefits to EU consumers. 


4. Wewould like to draw the EU policymakers’ attention to the following areas that require careful 
review and further consideration: 


a. Scope and definitions proposed (incl. of “product”, and “terminal equipment”) 
b. Interplay with the General Data Protection Regulation (GDPR) 


c. Further restrictions on the use of data to provide value add services (incl. “dark 
exclusion of profiling”, and “exclusion of sharing data with third parties”) 
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patterns”, 


d. Extension to the right of data portability 


5. Definitions that are used to shape the scope of the proposed law. Under Recital 15, the products 
primarily intended to stream, record, or transmit content are excluded from the definition of 


‘product’. The same Recital provides a list of examples of the excluded products. It is unclear if 
other types of devices could fall under the definition of ‘product’ under the regulation or if future 
technology development would have been considered under its definition. Related to this, 
there is a potential inconsistency between these proposals and ambiguity coming from 
understanding ‘product’ as ‘terminal equipment’ defined under the ePrivacy Directive. This 


6. 


ambiguity could have unintended consequences by introducing further restrictions to 
‘products’ within the meaning of the Data Act. 


Interplay with the GDPR definitions and scope. The Data Act introduces new definitions of ‘data 
holder’, ‘data user and ‘data recipient’ and it is unclear how they will articulate with established 
definitions under the GDPR such as ‘data controller and ‘data processor’. We would support the 
harmonisation of concepts under the currently existing legal framework on data protection. 
Related to this, the extensive definition of ‘data’ foresees a definition that includes both 
“personal data” and “non-personal data” applying the same provisions for very different 
categories of data. The Data Act must separate “personal data” and “non-personal data” and 
defer to GDPR for the regulation of “personal data”. A fragmented and unnecessarily complex 
regulatory framework increases the cost of doing business in the EU and is in tension with the 
EU’s policy goal of promoting growth and diversity in digital markets. 


Including further restrictions on the use of data to provide value-added services. Article 6.2 
seeks to set rules for data sharing with third parties, which goes beyond loT data - the data 
coming from the network of connected digital services, known as “smart” devices - and extends 
to personal data under the GDPR. 


a. When it comes to Article 6.2 (a) further clarity is needed as to why other new rules in 
Article 6.2 are necessary to restrain explicitly “dark patterns” when these are already 
regulated under the GDPR. 


b. Articles 6.2(b) and (c) seem to specifically prohibit device manufacturers from exploring 
lawful partnerships with trusted third parties to enhance their products by providing 
value-added, personalised services to consumers via the processing of personal and 
other data. This would foreclose legitimate service development and innovation and 
withhold the associated benefits from EU consumers. This also seems wholly contrary 
to the Data Act’s intention of facilitating data sharing and innovation in loT services and 
products. 


c. Article 6.2 (b) - which forbids third parties from using the data received from the 
‘connected product’ for profiling purposes, unless it is strictly necessary for the delivery 
of the service - is in conflict with the GDPR which regulates automated decision-making, 
including profiling (Article 5, Article 22). Profiling is a lawful and legitimate practice, 
subject to the specific requirements of the GDPR and is essential for all the technologies 
that are powered by data. Article 6.2 (b) is far from the Data Act’s intention of fostering 
innovation and levelling the playing field for all the actors in the market. The issue lies 
in its different treatment of the “data holder” which is allowed to carry out profiling 


activities as compared to the “data recipient” which is prohibited to do so under Article 
6.2 (b). 


d. Under the current EU privacy and data protection legal framework users of connected 
products, such as cars, smartwatches and electricity meters, benefit from the personal 
data collected through their use of ‘connected products’. The data that is generated is 
then made available to the user through a user-facing interface such as an app and can 
help users in answering questions such as “Do | need to get my car repaired?”, “How 
many steps have | made today?” or “How much energy am | consuming per month?”. 
This data can also serve in facilitating users’ decision-making. Ultimately, preventing 
third parties from using the data received from the ‘connected product’ for profiling 
purposes could cause unintended consequences and affect the overall digital user 
experience. 


e. In order to avoid the unintended consequences link to the application of Article 6.2 (b) 
we would like to suggest the following changes to the text of the provision: “Article 6.2 
(b) use the data it receives for the profiling of natural persons within the meaning of Article 
4(4) of Regulation (EU) 2016/679 in breach with the provisions of the GDPR including 


articles 21 and 22 unless-+tis-necessaryto-provide the service requested by the user; ”. 


8. The right to data portability. The extension of the right to data portability under Articles 4, 5 and 
6 allows data subjects to move their data between controllers, while we provide that enhances 
the users' rights under the GDPR, we would support provisions on the right to data portability 
that would take into account if the access is ‘technically feasible’ as this exemption is excluded 
under Recital 68 of the GDPR. We recognize the importance of regulating in light of the technical 
possibilities and developments of companies. 


9. We look forward to engaging with the EU policymakers and legislators on the aforementioned 
areas of the Data Act, with a prime objective of contributing to an optimal shaping of the 
regulation that ensures a good interplay with the already existing EU legal framework on 
privacy and data protection. 


